
May 29th, 2015 15:00

RBAC Cannot Run ISI_SUPPORT Commands

Hello,

Trying to configure RBAC for some of our AD domain users to perform administration duties on our Isilons.

So far I have added a new role and added a user to that role. The user can log in via SSH and run a number of commands via sudo, but still cannot run the commands defined under the ISI_SUPPORT section in the /usr/local/etc/sudoers file. We need to run these commands just about every day (isi_hw_status, isi_gather_info, isi_radish, etc.).

Is there a way to enable these commands via the RBAC without modifying the sudoers file (or having to log in as root)?  We have 20 Isilons, so trying to keep it as simple as possible.

All of the below is on the Isilon Simulator v7.1.1.4

SIM7114-1% isi auth ads list
Name           Authentication  Status  Site
-----------------------------------------------------
BIG.DOMAIN.COM Yes             online
-----------------------------------------------------
SIM7114-1% whoami
DOMAIN\AdminGuy
SIM7114-1% isi_hw_status
zsh: permission denied: isi_hw_status
SIM7114-1% sudo isi_hw_status
Password:
Sorry, user DOMAIN\AdminGuy is not allowed to execute '/usr/bin/isi_hw_status' as root on SIM7114-1.

SIM7114-1# isi auth roles view StorageAdmin
       Name: StorageAdmin
Description: -
    Members: DOMAIN\AdminGuy
Privileges
             ID: ISI_PRIV_LOGIN_CONSOLE
      Read Only: True
             ID: ISI_PRIV_LOGIN_PAPI
      Read Only: True
             ID: ISI_PRIV_LOGIN_SSH
      Read Only: True
             ID: ISI_PRIV_SYS_SUPPORT
      Read Only: True
             ID: ISI_PRIV_ANTIVIRUS
      Read Only: False
             ID: ISI_PRIV_AUDIT
      Read Only: False
             ID: ISI_PRIV_CLUSTER
      Read Only: False
             ID: ISI_PRIV_DEVICES
      Read Only: False
             ID: ISI_PRIV_EVENT
      Read Only: False
             ID: ISI_PRIV_FTP
      Read Only: False
             ID: ISI_PRIV_HDFS
      Read Only: False
             ID: ISI_PRIV_HTTP
      Read Only: False
             ID: ISI_PRIV_ISCSI
      Read Only: False
             ID: ISI_PRIV_JOB_ENGINE
      Read Only: False
             ID: ISI_PRIV_LICENSE
      Read Only: False
             ID: ISI_PRIV_NDMP
      Read Only: False
             ID: ISI_PRIV_NETWORK
      Read Only: False
             ID: ISI_PRIV_NFS
      Read Only: False
             ID: ISI_PRIV_NTP
      Read Only: False
             ID: ISI_PRIV_QUOTA
      Read Only: False
             ID: ISI_PRIV_REMOTE_SUPPORT
      Read Only: False
             ID: ISI_PRIV_SMARTPOOLS
      Read Only: False
             ID: ISI_PRIV_SMB
      Read Only: False
             ID: ISI_PRIV_SNAPSHOT
      Read Only: False
             ID: ISI_PRIV_SNMP
      Read Only: False
             ID: ISI_PRIV_STATISTICS
      Read Only: False
             ID: ISI_PRIV_SYNCIQ
      Read Only: False
             ID: ISI_PRIV_VCENTER
      Read Only: False
             ID: ISI_PRIV_WORM
      Read Only: False


June 12th, 2015 10:00

Hello Chris_S,

Thank you for your question! Peter_Sero is correct here: there is no RBAC privilege corresponding to the commands you mentioned. The workaround he mentions will be sufficient to run these commands. In my testing, I am using a local user, but you can accomplish this with a domain user should you need to:

cluster-1# isi_visudo
## Sudoers override file.
##
## This file overrides the default configuration for sudo as provided by
## Isilon. The defaults can be found at /etc/mcp/templates/sudoers. Do not
## edit /etc/mcp/templates/sudoers.
##
## To add additional command permissions, enter the appropriate configuration
## lines below. To remove a command provided by default, enter a negation line
## below.
##
## Example:
##
## To prevent admin from running SyncIQ, uncomment the line below:
## admin ALL=(ALL) !/usr/bin/isi sync*
##
ktjoh ALL=(ALL) ISI_SUPPORT

/etc/mcp/override/sudoers.tmp: 16 lines, 538 characters.
isi_visudo: Warning: Cmnd_Alias `ISI_SUPPORT' referenced but not defined
cluster-1# su ktjoh
cluster-1% isi_hw_status
zsh: permission denied: isi_hw_status
cluster-1% sudo isi_hw_status

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password:
  SerNo: SX200-301113-0027
 Config: 400-0034-01
FamCode: X
ChsCode: 2U
GenCode: 00
Product: X200-2U-Single-24GB-4x1GE-5632GB-200GB SSD
  Comps: Chassis CPU     Motherboard     NVRam   FlashDrive      Disk_Controller Disk_Expander   Power_Supplies
Chassis: ISI12V2 (Isilon 12-Bay(V2) Chassis)


June 3rd, 2015 03:00

The ISI_SUPPORT command set is only relevant within the sudoers file, and cannot be linked to any RBAC roles, as there is no corresponding "ISI_PRIV_SUPPORT" privilege, and one cannot create new RBAC privileges...

Seems you have to stick with the plain sudoers mechanism: use isi_visudo to add

thisusername     ALL=(ALL) NOPASSWD: ISI_SUPPORT

hth

-- Peter
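Both replies land on the same fix, a user spec line in the isi_visudo override file, and the staff session even shows the warning `Cmnd_Alias ISI_SUPPORT referenced but not defined`, because the alias lives in the base template rather than the override. As an added example, not from the thread or from Isilon, here is a small Python audit of such an override fragment: it reports aliases that are referenced but defined in neither the override nor the base template, and it reports NOPASSWD grants (Peter's variant) so a reviewer can decide whether dropping the password prompt is acceptable. The sample override text, the user names and the HW_STATUS alias are constructed; only the simple `user HOST=(RUNAS) [NOPASSWD:] list` form used in the thread is parsed.

```python
import re

# Constructed override fragment modelled on the isi_visudo sessions above.
# ISI_SUPPORT is defined in the base template (/etc/mcp/templates/sudoers),
# so it is legitimately absent from the override file itself.
SAMPLE_OVERRIDE = """\
## Sudoers override file.
Cmnd_Alias HW_STATUS = /usr/bin/isi_hw_status
ktjoh ALL=(ALL) ISI_SUPPORT
thisusername ALL=(ALL) NOPASSWD: ISI_SUPPORT
auditor ALL=(ALL) HW_STATUS, ISI_NOSUCHALIAS
"""

ALIAS_RE = re.compile(r"^\s*Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
# user  host = (runas) command-list   (runas part optional)
SPEC_RE = re.compile(r"^\s*(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")

def parse_command_list(text):
    """Split 'NOPASSWD: A, B' into (nopasswd flag, ['A', 'B'])."""
    nopasswd = "NOPASSWD:" in text
    text = text.replace("NOPASSWD:", "").replace("PASSWD:", "")
    return nopasswd, [c.strip() for c in text.split(",") if c.strip()]

def audit_sudoers(override_text, base_aliases=frozenset()):
    """Return a list of (user, issue) findings for an override fragment.

    base_aliases: Cmnd_Alias names the base template already defines; pass
    {"ISI_SUPPORT"} to mirror the Isilon template referenced in the thread.
    """
    defined = set(base_aliases)
    findings = []
    for line in override_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or ## comment
        m = ALIAS_RE.match(line)
        if m:
            defined.add(m.group(1))  # alias defined in the override itself
            continue
        m = SPEC_RE.match(line)
        if not m:
            findings.append(("?", "unparsed line: " + line.strip()))
            continue
        user, (nopasswd, cmds) = m.group(1), parse_command_list(m.group(2))
        if nopasswd:
            findings.append((user, "NOPASSWD grant"))
        for cmd in cmds:
            # Upper-case tokens are alias references; paths are lower-case.
            if cmd.isupper() and cmd not in defined:
                findings.append((user, "Cmnd_Alias %s referenced but not defined" % cmd))
    return findings
```

Run against the sample with `base_aliases={"ISI_SUPPORT"}` it reports only the NOPASSWD grant and the bogus alias; without the base set it also reproduces the ISI_SUPPORT warning for both users, exactly as isi_visudo did on the override file alone.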
